Compiler and Toolchain

glibc malloc heap corruption checking to avoid double-free and similar attacks. These checks have existed in glibc for several years now and are active for all our distributions starting with SUSE Linux Enterprise Server 9.

The "Fortify Source" extensions in gcc and glibc are enabled for all packages by default (using -D_FORTIFY_SOURCE=2) since SUSE Linux 10.0 and SUSE Linux Enterprise 10. This extension brings:

Compile-time buffer overflow checking for various C string / memory functions. When an overflow of a buffer is already provable at compile time, the compiler emits a warning, which our build processes catch.

Runtime buffer overflow checking for the C string / memory functions for destination buffers whose size is known at compile time. An overflow here triggers a controlled abort of the program.

Exploitation attempts of format string problems trigger a controlled abort of the program.

Runtime stack overflow checking using -fstack-protector is used in some critical packages in SUSE Linux 10.1 and SUSE Linux Enterprise 10 and enabled by default for all packages starting with openSUSE 10.2.

Marking stack and heap non-executable, so that NX can take effect, has been done for nearly all packages for some time now.

-z relro is enabled by default since SUSE Linux 10.1; it makes attacks on specific ELF sections no longer work.

While a number of selected binaries had been built as Position Independent Executables (PIE) for a while, in May 2017 Tumbleweed was switched to enabling PIE by default for all binaries.
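The three properties listed above (non-executable stack, RELRO, PIE) are recorded in an ELF binary's header and program headers, so they can be verified on any installed file. The following is an added example (not a SUSE tool and not code from this page) that reads those headers directly; it builds a constructed minimal ELF64 image for demonstration when no path is given. Fortify and -fstack-protector are not covered, since those show up only in the symbol table.

```python
"""Check an ELF64 binary for NX stack, RELRO and PIE by reading its
program headers. Added example; the sample image is constructed in-line."""
import struct

PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes


def check_hardening(data: bytes) -> dict:
    """Return which of the mitigations the ELF image in `data` carries."""
    (ident, e_type, _m, _v, _entry, phoff, _shoff, _flags, _ehsz,
     phentsize, phnum, *_rest) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    types = {}
    for i in range(phnum):
        p_type, p_flags, *_ = PHDR.unpack_from(data, phoff + i * phentsize)
        types[p_type] = p_flags
    # A missing PT_GNU_STACK entry means the kernel gives an executable stack,
    # so only an entry without PF_X counts as NX.
    nx = PT_GNU_STACK in types and not (types[PT_GNU_STACK] & PF_X)
    relro = PT_GNU_RELRO in types
    # ET_DYN with a program interpreter is a PIE; without one it is a library.
    pie = e_type == ET_DYN and PT_INTERP in types
    return {"nx": nx, "relro": relro, "pie": pie}


def build_sample_elf(nx=True, relro=True, pie=True) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the chosen flags."""
    phdrs = [(PT_INTERP, PF_R),
             (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, v1
    hdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size,
                    0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 1) for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_elf())
    print(check_hardening(data))
```

Run it with the path of an installed binary as the only argument to check a real file; a missing PT_GNU_STACK entry, which the check treats as no NX, matches the kernel's default of an executable stack for such binaries.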

Kernel

Hardware-based NX (No eXecute, also known as DEP) support is enabled for stack and heap since SUSE Linux Enterprise Server 9 on:

all AMD64/EM64T processors.

x86 machines using the "bigsmp" or "pae" kernel, provided the processor supports the NX bit.

We do not include Software NX at this time, since it is not in the mainline kernel and likely never will be.

Address Space Randomization is used for the stack and library mappings since SUSE Linux Enterprise 10 and SUSE Linux 10.1.